So, for the week one blog I wanted to focus on the difference between security and privacy in the healthcare industry. I actually started this blog about healthcare information security when I took CIS608 in 2017. I chose the topic because in 2006 my personal health information was possibly compromised. I say possibly because they had no idea what was actually taken, only that there had been a breach. So of course, the fix was to monitor your credit information, except back then they did not offer the funds to do so. If you read my blogs dating back to CIS608 you will see that not much has changed and, in fact, breaches are still quite common. So, what is the difference between privacy and security?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, is the way privacy and security are addressed in law. From that law the U.S. Department of Health & Human Services (HHS) established several different rules. Two of those rules that are applicable to this blog are the Privacy Rule of December 2000 and the Security Rule, which was published in February 2003.
You can find a lot of information on the Privacy Rule directly from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html. According to their site, the information that is protected includes “demographic data that relates to an individual’s past, present, or future physical or mental health or condition”, “the provision of health care to the individual”, and even payments. So, therapist notes or your medical records are considered protected and can’t be released without your consent, with the exception of a few special cases, for example if you are a serious threat to health or safety.
The HHS Security Rule can also be found at https://www.hhs.gov/hipaa/for-professionals/security/index.html. It “establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity”. As this statement makes clear, it only applies to electronic health data. It aims to protect the CIA triad (confidentiality, integrity, and availability) of all personal information that could be associated with you. It requires several different types of safeguards: administrative, physical, and technical. Some of the administrative safeguards include assigning a security official and conducting evaluations (audits) to confirm that the requirements are being met. Physical safeguards primarily deal with physical access to facilities and systems. Technical safeguards include measures that protect the data itself, such as encryption.
Both of these rules have pages of information about them. I just highlighted some of it to help explain the difference between the two. So, to break this down: the things I am allergic to are my private information. Security is what protects that information, such as making sure that medical personnel have to use some sort of authorization to access those files. Also, when transferring that information, they must protect it in transit. This is also a reason medical offices typically ask if you are willing to share your information. You can deny this option; however, a good reason to allow it is quick access to those files. For example, if you were to get injured in another state, your medical provider could send them your files if you had signed an authorization allowing them to do that. They have the responsibility to protect that information when they do send it.
So, you may be asking why these rules would even matter. As I mentioned in the beginning, my medical records were potentially compromised. Do you know what kind of information is in these files? They contain social security numbers, home addresses, and your health history, including family history. Thus, there is very lucrative information there. In fact, according to https://www.cnbc.com/2014/05/29/hackers-are-coming-after-your-medical-records.html, medical records were selling for $20 on the black market. It also does not help that medical providers have weak security. Consider the WannaCry ransomware, which targeted older Windows versions that Microsoft no longer supported, like XP; many health companies still use these older systems. In fact, looking at the chart below, it is projected that medical breaches will impact 1 in 13 patients over 5 years (https://www.computerworld.com/article/3090566/hackers-are-coming-for-your-healthcare-records-heres-why.htmlv).